In this short article, I will go over how to generate an SSL/TLS certificate via LetsEncrypt.org and store it in Azure Key Vault for use in Azure products such as Front Door.
The certificate is generated with certbot on a Mac using the DNS challenge. To begin with, install certbot via brew or your package manager of choice. If you are using another OS, see https://certbot.eff.org for the installation instructions for that distribution.
brew install certbot
Once installed, start the process with the command below. certbot will give you instructions to manually add a TXT record for the domain you are requesting the SSL/TLS certificate for.
certbot certonly --manual --preferred-challenges dns
Once it completes, certbot generates several files, such as fullchain.pem and privkey.pem. To make the next step easier, I will convert them into a single PFX file with openssl and use the resulting domain.pfx when importing into Key Vault.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out domain.pfx
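Before the PFX is built it is worth confirming that the private key actually belongs to the certificate and that the leaf certificate still has enough lifetime left; an import of a mismatched pair only surfaces as a handshake failure much later at the Front Door edge. The following helper script is an added example, not part of the original article or of certbot: it compares the public key embedded in fullchain.pem with the one derived from privkey.pem, checks remaining validity with openssl's -checkend, and only then runs the same pkcs12 export as above. The export password is taken from an environment variable named PFX_PASSWORD, which is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article): validate the certbot
# output before exporting it to the PFX that is imported into Key Vault.
# File names follow the article (fullchain.pem, privkey.pem, domain.pfx);
# the PFX_PASSWORD environment variable is an assumption of this example.
set -eu

# Return 0 if the public key inside the (leaf) certificate equals the
# public key derived from the private key. Comparing the DER-encoded
# SubjectPublicKeyInfo works for both RSA and ECDSA Let's Encrypt keys.
key_matches_cert() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the leaf certificate is still valid for at least N seconds.
# Let's Encrypt certificates live 90 days, so a renewal job would usually
# demand something like 30 days (2592000 s) of remaining lifetime.
cert_valid_for() {
  cert="$1"; seconds="$2"
  openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Build the PFX the article imports into Key Vault, but only after both
# checks pass. The password comes from the environment so it never lands
# in the shell history or in the process list.
build_pfx() {
  chain="$1"; key="$2"; out="$3"
  key_matches_cert "$chain" "$key" || { echo "private key does not match certificate" >&2; return 1; }
  cert_valid_for "$chain" 86400 || { echo "certificate expires within 24 hours" >&2; return 1; }
  openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$out" -passout env:PFX_PASSWORD
}

# Usage (paths are certbot's defaults on Linux; adjust the lineage name):
#   export PFX_PASSWORD='...'
#   build_pfx /etc/letsencrypt/live/example.com/fullchain.pem \
#             /etc/letsencrypt/live/example.com/privkey.pem domain.pfx
```

Because the PFX is now password-protected, pass the same password to the import step with the --password option of az keyvault certificate import; a PFX without a password, as in the plain command above, imports without it.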
Adding the certificate to Azure Key Vault
Azure Key Vault lets you easily provision, manage, and deploy public and private TLS/SSL certificates for use with Azure and your internal connected resources.
If you do not have a Resource Group yet, create one with the following command. If you already have a Resource Group that you want to hold the Key Vault, skip this step.
az group create --name kvResourceGroup --location northeurope
If you already have a Key Vault provisioned, skip this step; otherwise create a new Key Vault with:
az keyvault create --name myKeyVaultXn4 --resource-group kvResourceGroup --location northeurope
Next, import the certificate from the domain.pfx file:
az keyvault certificate import --vault-name myKeyVaultXn4 --name my-tls-cert --file domain.pfx
Finally, verify that the certificate was added:
az keyvault certificate show --name my-tls-cert --vault-name myKeyVaultXn4
With that, you should be able to use the certificate in different Azure services. The process described above is manual; the preferred approach is to renew the certificate automatically and re-import it before the current one expires.